Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in
the Tapatalk plugin for the WoltLab Burning Board forum software, which
allows attackers to inject arbitrary JavaScript code via URL parameters.

Details
=======

Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: >= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869

Introduction
============

"Tapatalk is an app built for interacting with discussion forums on mobile
devices. It differs from a forum's mobile web skin in that it offers the
speed of a native app and a streamlined unified interface for every forum a
user subscribes to. Tapatalk also creates a unique eco-system that allows
forums to be searched and discovered by millions of Tapatalk users which in
turn promotes content, new memberships, and interactions."

(from Tapatalk's homepage)

More Details
============

The Tapatalk extension includes the PHP script welcome.php at the path
com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php, which is reachable
on systems using the plugin via the URL

http://www.example.com/mobiquo/smartbanner/welcome.php

The script outputs JavaScript code that embeds the values of the two URL
parameters "app_android_id" and "app_kindle_url" without proper output
encoding for a JavaScript context. Depending on which parameter is supplied,
one of the two values is assigned to the PHP variable $byo:

------------------------------------------------------------------------
[...]
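The advisory's excerpt of welcome.php is cut off above. As an added illustration that is not the plugin's code, the following PHP shows the bug class the advisory describes (a URL parameter reflected into an inline JavaScript string literal) beside a hardened version. The parameter names mirror the advisory; the function names, the surrounding markup and the sample request are assumptions made for this example.

```php
<?php
// Added illustration, not the Tapatalk plugin's welcome.php. The helper
// select_byo() mimics the described behaviour: whichever of the two URL
// parameters is present ends up in $byo. Names other than the parameter
// names are invented for the example.

function select_byo(array $get): string
{
    if (isset($get['app_android_id'])) {
        return (string) $get['app_android_id'];
    }
    if (isset($get['app_kindle_url'])) {
        return (string) $get['app_kindle_url'];
    }
    return '';
}

// Unsafe: the raw query value is concatenated into a JS string literal.
// A value such as   ';alert(document.cookie);//   terminates the literal
// and the remainder is executed as script; a value containing </script>
// would even close the element and allow arbitrary HTML afterwards.
function render_unsafe(array $get): string
{
    $byo = select_byo($get);
    return "<script>var byo = '" . $byo . "';</script>";
}

// Hardened: json_encode() produces a valid JS string literal and, with the
// JSON_HEX_* flags, encodes < > & ' " as \uXXXX so the value can neither
// end the <script> element nor break out of an attribute if the same
// literal is later reused in an HTML context. Forward slashes are escaped
// by default, so "</script>" becomes "<\/script>" even without the flags.
function render_safe(array $get): string
{
    $byo = select_byo($get);
    $encoded = json_encode(
        $byo,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode() returns false on invalid UTF-8; never fall back to the
    // raw input in that case, emit an empty literal instead.
    if ($encoded === false) {
        $encoded = '""';
    }
    return "<script>var byo = " . $encoded . ";</script>";
}

// Constructed request for demonstration (not from the advisory).
$request = ['app_android_id' => "';alert(document.cookie);//"];

echo render_unsafe($request), "\n";
// <script>var byo = '';alert(document.cookie);//';</script>
// -> the alert() runs in the victim's browser.

echo render_safe($request), "\n";
// <script>var byo = "\u0027;alert(document.cookie);\/\/";</script>
// -> the whole value stays inside one JS string, nothing executes.
```

Encoding for the JavaScript string context is what matters here; htmlspecialchars() alone would not help, since a single quote is only escaped by it with ENT_QUOTES and the sequence `';` never needs an HTML metacharacter to break out of the literal. When the value is later inserted into the DOM by the script, it additionally has to be treated as text (e.g. via textContent), not as HTML.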